Delegated Account Recovery – Kill the “forgot password” email
Delegated Account Recovery
Tuesday 2G
Convener: Brad Hill @hillbrad
Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:
fb.me/recovery
http://github.com/facebook/DelegatedRecoverySpecification
Presented by Brad Hill from Facebook
Background:
· People still manage to forget or lose things; yubikey, etc.
· E3e email where I lose my device; One solution is just to lose the data
· Smtp / plain text email based recovery is baseline
· Pull model; use oauth to pull data towards me – current setup
· Push-based model; wrap up my identity in a recovery token
· Push token to facebook, save it for me in my account
· It’s opaque, so facebook doesn’t see what the data wrapped into account recovery is
Approach; similar to an oauth flow, but it’s not an oauth based system:
1. User creates account at e.g. github
2. Github wraps an opaque token and relays it back through the user to fb
3. User authenticates to fb
4. Fb stores opaque token, and signs it
5. User loses authentication to github
6. User requests access to github
7. Redirects to facebook and reauthenticates to fb
8. Facebook relays the token back to github
9. Github checks fb signature to ensure it’s appropriate
10. If it is, the user can recover the account
What’s in the token; binary structure:
· ID: 128 bit number chosen by issuer of token
· Issuer string (e.g. github)
· Audience string (e.g. facebook)
· Timestamp
· One byte of options
· Data field; is opaque: notes here.
· Token binding
· Signature – nist p256
· When returned, it gets wrapped in a countersigned token
· Low-end implementation is map github UID to facebook to SHA256 of token.
Misc Information:
· FB and github each know that a party holds an account, but not who the party is
· User gets to choose where to save it, and github allows you to choose where to save it
· Question – lifetime of that token
· Root of trust is the .well-known URL
· Counter-sign of keys helps make the token useless unless it’s signed, so if there’s a dump of the unsigned tokens, the tokens are useless
· Key splitting is possible, but outside the protocol
Maintaining state
· Flag for status callbacks – e.g. you can get a notice that a particular token is out of scope; e.g. deleted; email addr recycled; e.g. delete your facebook account. It’s gone, nag them to do something else